1. Field of the Invention
The present invention relates to a technique for managing access restriction information in a storage system.
2. Description of the Related Art
In recent years, computers usually use an IP (Internet Protocol) network to connect to each other. A non-patent document by J. Satran, K. Meth, C. Sapuntzakis, M. Chadalapaka, E. Zeidner, “Internet Small Computer Systems Interface (iSCSI)”, RFC3720, April 2004, published by the IETF (Internet Engineering Task Force) describes a technique in which iSCSI (Internet Small Computer Systems Interface) is used to connect a storage device such as RAID (Redundant Array of Independent Disks) to the IP network, and a SCSI (Small Computer Systems Interface) command for the storage device is encapsulated into an IP packet to be sent to the device. This technique enables a computer to control a storage device by using the IP network.
As with SCSI, iSCSI uses the client/server model, with an initiator that sends SCSI commands to request processing such as data input/output, and a target that responds to such requests. iSCSI is defined as a layer of the network stack, positioned between the SCSI layer and the TCP/IP (Transmission Control Protocol/Internet Protocol) layer. The iSCSI layer receives a SCSI CDB (Command Descriptor Block), a response and data from the SCSI layer, and encapsulates them into an iSCSI PDU (Protocol Data Unit), which is sent through a TCP connection. The iSCSI layer also processes an iSCSI PDU received through the TCP connection to extract a SCSI CDB, a response and data, and passes them to the SCSI layer. In iSCSI, the SCSI Command PDU, SCSI Data In/Out PDU, and SCSI Response PDU are used for sending a SCSI CDB, transferring data, and sending a SCSI response, respectively.
In iSCSI, nodes such as the initiator and target each have an iSCSI name for their identification and management. The iSCSI name is required to be independent from any geographic information of an iSCSI node, to be universally unique, and to be fixed from activation to completion of an iSCSI node. Formats usable with these iSCSI names include iSCSI Qualified Name and Extended Unique Identifier.
In iSCSI, the initiator needs an IP address, a TCP port number and an iSCSI name of the target in order to establish an iSCSI session to the target. A non-patent document by M. Bakke, J. Hafner, J. Hufferd, K. Voruganti, M. Krueger, “Internet Small Computer Systems Interface (iSCSI) Naming and Discovery”, RFC3721, April 2004, describes the following three types of methods for the initiator to obtain the IP address, TCP port number and iSCSI name in iSCSI.
The first method is to directly set an IP address, a TCP port number and an iSCSI name in the initiator. The initiator uses the IP address and TCP port number of the target to establish a TCP connection, and uses the iSCSI name to establish an iSCSI connection.
The second method involves SendTargets, in which an IP address and a TCP port number are set in the initiator. The initiator uses this information to establish a discovery session with a network entity and to issue a SendTargets command that queries the target for an iSCSI name. Here, the network entity represents, for example, a device and a gateway accessible via the IP network. This second method is provided for an iSCSI gateway and an iSCSI router.
The third method is zero-configuration, in which no target information is set in the initiator. This method includes two types: the initiator directly multicasting to the target, or the initiator sending a discovery message to a storage name server. Methods for realizing the discovery function of the target include: use of SLP (Service Location Protocol) as described in RFC2608; and use of iSNS (Internet Storage Name Service) as described in RFC4171 (J. Tseng, K. Gibbons, F. Travostino, C. Du Laney, J. Souza, “Internet Storage Name Service (iSNS)”, RFC4171, September 2005).
Of these methods, the iSNS is usually used for a large storage network.
As discussed in RFC4171, iSNS is a technique for realizing, for example, name resolution for the initiator and the target, and group management for the initiator and the target by means of DD (Discovery Domain), in an IP-SAN (Internet Protocol-Storage Area Network) using iSCSI.
In iSNS, the initiator on activation uses a DevAttrReg message to register target information to an iSNS server. The DevAttrReg message includes: Source Attribute representing an iSCSI node of the originating sender; Message Key Attribute to be used to determine whether or not the node is an existing one; Delimiter Attribute used as a delimiter; and Operating Attribute describing additional information.
When sending on activation a DevAttrReg message to the iSNS server, if the initiator includes a DD name in the DevAttrReg message, i.e., specifies a DD by means of the DevAttrReg message, then the initiator can belong to the specified DD (this method will be hereinafter referred to as a “DD specification method”). This allows the initiator to discover a target belonging to the specified DD.
In contrast, when sending on activation the DevAttrReg message to the iSNS server, if the initiator includes no DD name in the DevAttrReg message, i.e., specifies no DD by means of the DevAttrReg message, then the initiator does not belong to any DD (this method will be hereinafter referred to as a “non-belonging DD method”). When a DD name is not included in the DevAttrReg message, the initiator can be specified to belong to a default DD (this method will be hereinafter referred to as a “default specification method”). When specified to belong to the default DD, the initiator can discover a target belonging to the default DD.
Japanese Patent Application Laid-Open (Kokai) No. 2004-192305 discloses a technique for providing a storage device with an iSCSI name, which is storage identification information, in a manner corresponding to a change of status in the storage device such as copying and moving data.
However, in the above-described DD specification method, in the case that a host computer (hereinafter referred to as a “host”) uses a memory area in a storage device as a virtual memory area, and uses a memory area in another storage device (hereinafter referred to as an “external storage device”) connected to the host via the storage device, the host cannot register with the iSNS server a DD to which the external storage device belongs, after creating a memory area in the external storage device. In other words, after creating a memory area in the external storage device, the host cannot make a setting such that it can manage the memory area in the external storage device.
Further, in the non-belonging DD method, in the case that the host uses a memory area of a storage device as a virtual memory area, and uses a memory area in an external storage device, the host cannot register with the iSNS server a DD to which the external storage device belongs, after creating a memory area in the external storage device. In other words, after creating the memory area in the external storage device, the host cannot make a setting such that it can manage the memory area in the external storage device.
Still further, in the default specification method, although the host can discover an external storage device if the external storage device belongs to a default DD, the host is disadvantageously registered to the default DD, thus allowing other hosts belonging to the default DD to access the storage device.
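The following added example, which is not part of the original document, models how the three registration methods described above scope target discovery, and gives an audit view of which initiators can reach a target through the default DD. It is a simplified in-memory model, not the RFC4171 wire protocol; the class, the function names, the default DD label and the iSCSI names are all constructed for illustration.

```python
# Simplified model of iSNS Discovery Domain (DD) scoping; not the RFC 4171 wire format.
DEFAULT_DD = "default-dd"  # hypothetical label for the default DD


class IsnsServer:
    def __init__(self, use_default_dd=False):
        self.use_default_dd = use_default_dd
        self.nodes = {}    # iSCSI name -> "initiator" or "target"
        self.members = {}  # DD name -> set of member iSCSI names

    def dev_attr_reg(self, iscsi_name, node_type, dd_name=None):
        """Register a node, as a DevAttrReg with or without a DD name would."""
        self.nodes[iscsi_name] = node_type
        if dd_name is None and self.use_default_dd:
            dd_name = DEFAULT_DD  # default specification method
        if dd_name is not None:   # DD specification method (or default DD)
            self.members.setdefault(dd_name, set()).add(iscsi_name)
        # otherwise: non-belonging DD method, the node is in no DD

    def discover_targets(self, initiator):
        """Targets that share at least one DD with the initiator."""
        visible = set()
        for names in self.members.values():
            if initiator in names:
                visible |= {n for n in names if self.nodes[n] == "target"}
        return sorted(visible)

    def initiators_reaching(self, target):
        """Audit view: every initiator that can discover the given target."""
        return sorted(n for n, kind in self.nodes.items()
                      if kind == "initiator" and target in self.discover_targets(n))


# Constructed sample nodes.
HOST_A = "iqn.2004-04.com.example:host-a"
HOST_B = "iqn.2004-04.com.example:host-b"
STORAGE = "iqn.2004-04.com.example:storage"
EXTERNAL = "iqn.2004-04.com.example:external-storage"


def build(use_default_dd):
    server = IsnsServer(use_default_dd)
    server.dev_attr_reg(HOST_A, "initiator", "dd-a")  # DD named at registration
    server.dev_attr_reg(STORAGE, "target", "dd-a")
    server.dev_attr_reg(HOST_B, "initiator")          # no DD name supplied
    server.dev_attr_reg(EXTERNAL, "target")           # no DD name supplied
    return server
```

Running `initiators_reaching` over every target in a registration inventory shows which volumes are exposed only because they landed in the default DD.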
In addition, in the technique disclosed in Japanese Patent Application Laid-Open No. 2004-192305, in the case that the host uses a memory area in the storage device as a virtual memory area, and uses a memory area in the external storage device, the host cannot register with the iSNS server a DD to which the external storage device belongs, after creating a memory area in the external storage device. In other words, after creating a memory area in the external storage device, the host cannot make a setting such that it can manage the memory area in the external storage device.
To solve the above-described problems, therefore, the present invention aims to allow the host to manage the memory area in the external storage device after creating a memory area in the external storage device, thus preventing other hosts from accessing the storage device to protect data in the storage device.